Microsoft fudging around with independent mail again
Ok, so I’ve been hosting e-mail for 15 years now. Not just for myself, mind you, but also for a considerably sized academic institution at some point. Let’s just say I know what spam is and what blocklists and IP reputations are. This is not my first rodeo, or my second for that matter. Still, Microsoft just threw me a new one. Out of the blue, a week or two ago, Microsoft decided to stop delivering mail TO ME. I’m completely familiar with the big providers like Microsoft refusing to accept mail FROM ME, but this one is truly new. The only solution? I had to change the IP for my incoming mail service (MX), both IPv4 and IPv6. Once I did that, things started working again.. for no reason. Now I’m a very grumpy nerd!
Right, logs or it didn’t happen right? Well, mail logs can be confidential so I’m posting only a few snippets here. Trust me, I have reams of this stuff here.
Sep 12 19:38:23 mail postfix/smtpd[32656]: connect from mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]
...
Sep 12 19:38:23 mail postfix/smtpd[32656]: > mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: 220 mx.area536.com ESMTP Postfix
...
Sep 12 19:38:23 mail postfix/smtpd[32656]: < mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: EHLO AS8PR04CU009.outbound.protection.outlook.com
...
Sep 12 19:38:23 mail postfix/smtpd[32656]: < mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: STARTTLS
Sep 12 19:38:23 mail postfix/smtpd[32656]: > mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: 220 2.0.0 Ready to start TLS
...
Sep 12 19:38:23 mail postfix/smtpd[32656]: Anonymous TLS connection established from mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange secp384r1 server-signature ECDSA (prime256v1) server-digest SHA256
...
Sep 12 19:38:23 mail postfix/smtpd[32656]: < mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: QUIT
Sep 12 19:38:23 mail postfix/smtpd[32656]: > mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32]: 221 2.0.0 Bye
...
Sep 12 19:38:23 mail postfix/smtpd[32656]: disconnect from mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32] ehlo=1 starttls=1 quit=1 commands=3
Sep 12 19:38:23 mail postfix/smtpd[32656]: connection closed
It’s massively verbose so I snipped a bunch of debug info from the log. What I see happening here is Microsoft (...outbound.protection.outlook.com) connecting to my machine over IPv4 using 52.103.33.32, which is fine. It does the familiar SMTP handshake and dutifully engages in a TLS encryption handshake. That’s a good thing because I like my mail to be encrypted in transit. And just as well we see that a TLSv1.3 connection comes into being. This is the point where I’d expect Microsoft to start offering me the e-mail that it obviously has for me. Instead, though, we get an SMTP QUIT command and the connection simply hangs up.
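To spot this pattern without reading every session by hand, here is an added example (not part of the original post) that parses Postfix's per-session "disconnect from" summary line and flags sessions that completed STARTTLS and sent QUIT without ever issuing a MAIL command. The first sample line is the one quoted above; the other two are constructed (documentation IP ranges), and the names SAMPLE_LOG, parse_disconnect, silent_tls_sessions and count_by_sender_domain are mine.

```python
import re
from collections import Counter

# Constructed sample: line 1 is the Postfix disconnect summary quoted above; lines 2 and 3
# are made up (documentation IPs) for a normal delivery and a failed AUTH, so the filter
# has something to leave alone.
SAMPLE_LOG = """\
Sep 12 19:38:23 mail postfix/smtpd[32656]: disconnect from mail-westeuropeazolkn19011032.outbound.protection.outlook.com[52.103.33.32] ehlo=1 starttls=1 quit=1 commands=3
Sep 12 19:40:01 mail postfix/smtpd[32701]: disconnect from mail-example.example.net[203.0.113.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Sep 12 19:41:15 mail postfix/smtpd[32710]: disconnect from unknown[198.51.100.9] ehlo=1 auth=0/1 quit=1 commands=3
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+?)\[(?P<ip>[^\]]+)\](?P<counters>(?: \S+=\S+)*)"
)

def parse_disconnect(line):
    """Return (host, ip, counters) for a Postfix smtpd disconnect line, else None.
    A value like "auth=0/1" means successes/attempts; only the success count is kept."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for item in m.group("counters").split():
        key, _, value = item.partition("=")
        counters[key] = int(value.split("/")[0])
    return m.group("host"), m.group("ip"), counters

def silent_tls_sessions(log_text):
    """Sessions that negotiated STARTTLS and then hung up without a single MAIL FROM."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_disconnect(line)
        if parsed is None:
            continue
        host, ip, c = parsed
        if c.get("starttls", 0) >= 1 and c.get("mail", 0) == 0 and c.get("quit", 0) >= 1:
            hits.append((host, ip))
    return hits

def count_by_sender_domain(hits, depth=4):
    """Group hits by the last `depth` DNS labels so every outbound.protection.outlook.com host collapses into one bucket."""
    return Counter(".".join(host.split(".")[-depth:]) for host, _ in hits)

if __name__ == "__main__":
    found = silent_tls_sessions(SAMPLE_LOG)
    for host, ip in found:
        print(f"STARTTLS then QUIT with no MAIL: {host}[{ip}]")
    print(count_by_sender_domain(found))
```

Run it over the real smtpd log (with the verbose debug lines present or not; only the disconnect summaries matter) and a rising count for the outlook.com bucket tells you the behaviour is back before anyone notices missing mail.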
I tested this extensively from Hotmail and other Microsoft properties like LinkedIn. They all have this problem where I know for a fact that mail is on its way to me, but it never gets delivered. Well.. never.. I have to admit that I didn’t wait multiple days for this to fix itself. Obviously I tried to get in touch with Microsoft, but other than a message that my IP space is not in any reputation trouble.. crickets. They don’t understand the question.
So what did I do? I plugged a Raspberry Pi into a switch at my house, popped it into a VLAN of its own with a firewall around it and straight out COPIED OVER my current production Postfix setup verbatim. Of course I had to twiddle a few minimal bits to fit it into a different network environment but it was otherwise identical. I changed my MX record in DNS, waited for the TTL, and sent myself an e-mail from Hotmail.. which was promptly delivered with zero fuss.
Obviously I went over my production environment. Certificates are fine, IP-space was checked, no blocklisting going on at all. Other big corps like Gmail have absolutely no issue whatsoever delivering mail to my address as did a considerable number of other third parties like mailing lists and whatnot. This really is ONLY Microsoft.
…and then it suddenly cleared itself up! I kept testing from time to time and suddenly, after flicking my MX back to the original, Microsoft started delivering again. Wut!? Yep.. just like that. Until it stopped again, so I was forced to flip the whole shebang back again. I’m going to leave this running for a longer time now to see if my home IP eventually gets the same treatment, but I find it extremely suspicious indeed! And it’s not like routable IPv4 space grows on trees for geeks on a budget here.